[LINK] Fwd: Expert Panel: The Seven Stages of IPv6 Adoption
Kim Holburn
kim at holburn.net
Fri Mar 27 22:04:27 AEDT 2009
On 2009/Mar/27, at 10:04 AM, Karl Auer wrote:
> On Fri, 2009-03-27 at 09:05 +0100, Kim Holburn wrote:
>> Actually I didn't write that paragraph. Funny though it was. Is
>> there something wrong with my email client?
>
> Urk, sorry, maybe I misread the quote cascade.
>
>> So we have difficult or slow. Enticing that is.
>
> TSP is not that hard (and is very simple for Windows users). It remains
> the best all-round solution for now. Once set up, it is essentially
> transparent - you just access v4 and v6 hosts without having to think
> about it at all.[1]
>
>> I have noticed too that having IPv6 enabled on desktop boxes tends to
>> make them run quite a bit slower than without IPv6.
>
> Yep - turn off protocols you don't need.
>
>> been found to be just plain wrong) all bets are off inside the private
>> network, it has plausible deniability and no personal info leaked.
>
> No, it doesn't really have plausible deniability; it might be hard to
> link the address to a particular computer if there were a lot of
> computers in the internal network, but the more computers there are the
> harder it is to hide one (it leaves traces everywhere) and of course if
> there are few computers it's also no great trick to figure out which one
> was used when. So data is most certainly "leaked", and is certainly not
> "deniable". Though it is questionable whether it is personal data. By
> the way, I note that your internal address is still 192.168.2.3 :-)
I don't think you've got my point. Yes, my internal address is that
but it really doesn't get you far and I'm not trying to hide it. I
could change it to almost anything. Routers often keep no logs of
this. To track me from my ISP IP requires effort. Unless I have
broken the law and you have the help of government agencies, a lot of
effort. You will have to ask my ISP and somehow get through the
layers of privacy laws. If I am travelling my IP address will
probably be whatever local ISPs give me. Each ISP would require
effort to untangle.
Whereas assuming your IPv6 address comes up in smtp headers it will be
traceable to a particular machine - if it's a laptop the IPv6 address,
as I understand it, will be the same wherever you have travelled to
and it's there in your headers, knowledge but no effort required to
get it. That's considerably more information than IPv4 provides.
>> An IPv6 address on the other hand is somewhat more like a fingerprint and
>> wouldn't even need the consent of the ISP, it'd be there in the
>> headers. Privacy leaked without even trying.
>
> Again - no more than with IPv4. I can explain this at greater length if
> you wish. Your own internal address is right there in the headers of the
> email I'm replying to now. I showed it to you. Twice. Do you feel
> invaded?
>
>> The IPv4 private address ranges would be big enough to do that if you
>> wanted to and behind a NAT firewall you really could use any IPv4
>> address you wanted to (as long as you didn't want to talk to the real
>> one).
>
> No, not really. If you used a 10.0.0.0/8, you would run out of addresses
> in about six months. That's quite a far cry from 500 billion years.
My point was that you don't have to use private addresses. NAT
doesn't require private ranges. Apart from really beyond the pale
addresses like:
0/8, 127/8, 169.254/16, 224/8 - 239/8 and probably some I haven't
thought of, any IPv4 address would work and would be quite confusing
(and I haven't mentioned tunnelling or TOR till now either).
As long as you don't mind the occasional collision you have a huge
range to choose from. Not of course as big as IPv6 but bigger than
you would need. Even through something like TOR your IPv6 address
would show up!
> In practice, address-hopping doesn't make much sense for very short
> periods. Nor does it make much sense unless you are one of a preferably
> large number of people inside the same subnet, all doing the same thing.
> If it's just your desktop at home, you won't fool anyone :-)
>
> This is all a bit of a furphy though - we were talking about "leaking"
> information, and my point is just that you "leak" no more with IPv6 than
> with IPv4.
>
>> I see your point but don't really agree. In a home network it would
>> be possible to fingerprint actual devices except of course for the
>> possibility of IPv6 spoofing and I'm not sure I know enough to say if
>> that's possible.
>
> We've been here before, haven't we? I distinctly recall having a loooong
> discussion about this. The answer to your "fingerprinting" fears is as
> simple as a three-line packet filter, emulating what a NAT router does
> as a side-effect. Let anything out; let only established and related
> packets back in. Since you don't need NAT with IPv6, you'll be as safe
> as houses. Well, apart from the threats that the users on your own
> network pose; they are still far more likely to do you harm than an
> outsider, either directly or by falling for one of the multitude of
> threats that don't care what address you have, like phishing, bad email
> payloads, malware on portable media and so on.
>
> Regards, K.
>
> [1] Disclaimer: http://www.ipv6now.com.au/about.php
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
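The point argued in this message, that a laptop's autoconfigured IPv6 address carries the same interface identifier on every network it visits, can be checked directly. The Python below is an added example, not part of this thread or of any project mentioned in it; the MAC 00:11:22:33:44:55 and the 2001:db8::/32 prefixes are constructed sample values. It derives the Modified EUI-64 interface identifier as RFC 4291 specifies, shows that the identifier is unchanged under two different /64 prefixes, and recovers the MAC from such an address, which is the check a reviewer of mail headers or logs would run. It goes slightly beyond the thread in one respect: the last function returns None for an identifier without the ff:fe marker, the shape produced by RFC 4941 privacy extensions, which is the usual mitigation for this kind of tracking.

```python
import ipaddress
import re

def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC.

    Insert ff:fe between the OUI and the device part, then invert the
    universal/local bit (0x02 of the first octet).
    """
    octets = bytes(int(x, 16) for x in re.split(r"[:-]", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:11:22:33:44:55")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host without privacy extensions would form on a /64 via SLAAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) + mac_to_eui64_iid(mac))

def interface_id(addr: str) -> int:
    """Low 64 bits of an address: the part that follows the host across networks."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)

def mac_from_address(addr: str):
    """Recover the MAC if the interface identifier looks EUI-64-derived.

    Returns None when the ff:fe marker is absent, as with an RFC 4941
    temporary (privacy) address. The marker is a heuristic: a random
    identifier matches it by chance with probability 2**-16.
    """
    b = interface_id(addr).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)

if __name__ == "__main__":
    # Constructed values: a sample MAC and two documentation-range /64s
    # standing in for the home network and a hotel network.
    mac = "00:11:22:33:44:55"
    home = slaac_address("2001:db8:1::/64", mac)
    away = slaac_address("2001:db8:2::/64", mac)
    print("home:", home)
    print("away:", away)
    print("same interface id:", interface_id(str(home)) == interface_id(str(away)))
    print("MAC recovered from header address:", mac_from_address(str(away)))
    # Constructed privacy-extension style address: nothing to recover.
    print("privacy address ->", mac_from_address("2001:db8:1::a1b2:c3d4:e5f6:789"))
```

Run against an address lifted from a Received: header, `mac_from_address` either names the hardware address of the sending interface or returns None; a None result with a changing identifier is what you see from hosts that have privacy extensions enabled.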